1.A business requires a forensic logging solution for hundreds of Docker-based apps running on Amazon 
EC2. 

The solution must analyze logs in real time, provide message replay, and persist logs. 

Which AWS services should be employed to satisfy these requirements? (Select 
two.) 

A. Amazon Athena 

B. Amazon Kinesis 

C. Amazon SQS 

D. Amazon Elasticsearch 

E. Amazon EMR 

Answer: B D 


2.A company developed an application by using AWS Lambda, Amazon S3, Amazon Simple Notification 
Service (Amazon SNS), and Amazon DynamoDB. An external application puts objects into the company's 
S3 bucket and tags the objects with date and time. A Lambda function periodically pulls data from the 
company's S3 bucket based on date and time tags and inserts specific values into a DynamoDB table for 
further processing. 

The data includes personally identifiable information (PII). The company must remove data that is older 
than 30 days from the S3 bucket and the DynamoDB table. 

Which solution will meet this requirement with the MOST operational efficiency? 

A. Update the Lambda function to add a TTL S3 flag to S3 objects. Create an S3 Lifecycle policy to expire 
objects that are older than 30 days by using the TTL S3 flag. 

B. Create an S3 Lifecycle policy to expire objects that are older than 30 days. Update the Lambda 
function to add the TTL attribute in the DynamoDB table. Enable TTL on the DynamoDB table to expire 
entries that are older than 30 days based on the TTL attribute. 

C. Create an S3 Lifecycle policy to expire objects that are older than 30 days and to add all prefixes to the 
S3 bucket. Update the Lambda function to delete entries that are older than 30 days. 

D. Create an S3 Lifecycle policy to expire objects that are older than 30 days by using object tags. Update 
the Lambda function to delete entries that are older than 30 days. 

Answer: B 


3.A company is hosting a static website on Amazon S3. The company has configured an Amazon 
CloudFront distribution to serve the website contents. The company has associated an AWS WAF web 
ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States 
to address compliance restrictions. 

The company is worried that the S3 URL might still be accessible directly and that requests can bypass 
the CloudFront distribution. 

Which combination of steps should the company take to remove direct access to the S3 URL? (Select 
TWO.) 

A. Select "Restrict Bucket Access" in the origin settings of the CloudFront distribution 

B. Create an origin access identity (OAI) for the S3 origin 

C. Update the S3 bucket policy to allow s3:GetObject with a condition that the aws:Referer key matches 
the secret value. Deny all other requests. 

D. Configure the S3 bucket policy so that only the origin access identity (OAI) has read permission for 
objects in the bucket. 

E. Add an origin custom header that has the name Referer to the CloudFront distribution. Give the header 
a secret value. 

Answer: AD 


4.A company is testing its incident response plan for compromised credentials. The company runs a 
database on an Amazon EC2 instance and stores the sensitive database credentials as a secret in AWS 
Secrets Manager. The secret has rotation configured with an AWS Lambda function that uses the generic 
rotation function template. The EC2 instance and the Lambda function are deployed in the same private 
subnet. The VPC has a Secrets Manager VPC endpoint. 

A security engineer discovers that the secret cannot rotate. The security engineer determines that the 
VPC endpoint is working as intended. The Amazon CloudWatch logs contain the following error: 
"setSecret: Unable to log into database". 

Which solution will resolve this error? 

A. Use the AWS Management Console to edit the JSON structure of the secret in Secrets Manager so 
that the secret automatically conforms with the structure that the database requires. 

B. Ensure that the security group that is attached to the Lambda function allows outbound connections to 
the EC2 instance. Ensure that the security group that is attached to the EC2 instance allows inbound 
connections from the security group that is attached to the Lambda function. 

C. Use the Secrets Manager list-secrets command in the AWS CLI to list the secret. Identify the database 
credentials. Use the Secrets Manager rotate-secret command in the AWS CLI to force the immediate 
rotation of the secret. 

D. Add an internet gateway to the VPC. Create a NAT gateway in a public subnet. Update the VPC route 
tables so that traffic from the Lambda function and traffic from the EC2 instance can reach the Secrets 
Manager public endpoint. 

Answer: B 

Explanation: 

This answer is correct because ensuring that the security groups allow bidirectional communication 
between the Lambda function and the EC2 instance will resolve the error. The error indicates that the 
Lambda function cannot connect to the database, which might be due to firewall rules blocking the traffic. 
By allowing outbound connections from the Lambda function and inbound connections to the EC2 
instance, the security engineer can enable the rotation function to access and update the database 
credentials. 


5.A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon 
EC2. The solution must perform real-time analytics on the logs, must support the replay of messages, and 
must persist the logs. 

Which AWS services should be used to meet these requirements? (Select TWO) 

A. Amazon Athena 

B. Amazon Kinesis 

C. Amazon SQS 

D. Amazon Elasticsearch 

E. Amazon EMR 

Answer: B D 
6.A company is evaluating the use of AWS Systems Manager Session Manager to gain access to the 
company's Amazon EC2 instances. However, until the company implements the change, the company 
must protect the key file for the EC2 instances from read and write operations by any other users. 

When a security administrator tries to connect to a critical EC2 Linux instance during an emergency, the 
security administrator receives the following error: "Error: Unprotected private key file - Permissions for 
'ssh/my_private_key.pem' are too open". 

Which command should the security administrator use to modify the private key file permissions to 
resolve this error? 

A. chmod 0040 ssh/my_private_key.pem 

B. chmod 0400 ssh/my_private_key.pem 

C. chmod 0004 ssh/my_private_key.pem 

D. chmod 0777 ssh/my_private_key.pem 

Answer: B 

Explanation: 

The error message indicates that the private key file permissions are too open, meaning that other users 
can read or write to the file. This is a security risk, as the private key should be accessible only by the 
owner of the file. To fix this error, the security administrator should use the chmod command to change the 
permissions of the private key file to 0400, which means that only the owner can read the file and no one 
else can read or write to it. 

The chmod command takes a numeric argument that represents the permissions for the owner, group, 
and others in octal notation. Each digit corresponds to a set of permissions: read (4), write (2), and 
execute (1). The digits are added together to get the final permissions for each category. For example, 
0400 means that the owner has read permission (4) and no other permissions (0), and the group and 
others have no permissions at all (0). 

The other options are incorrect because they either do not restrict the permissions at all (D), or they give 
too many or too few permissions to the owner, group, or others (A, C). 

References: 

https://superuser.com/questions/215504/permissions-on-private-key-in-ssh-folder 
https://www.baeldung.com/linux/ssh-key-permissions 


7.A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job 
functions within the company. To balance operational efficiency and security, a security engineer 
implemented AWS Organizations SCPs to restrict access to critical security services in all company 
accounts. 

All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP 
that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and 
AWS Security Hub. The security engineer also must not override other permissions that are granted by 
IAM policies that are defined in the accounts. 

Which SCP should the security engineer attach to the root of the organization to meet these 
requirements? 

A) 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "guardduty:DeleteDetector",
        "guardduty:UpdateDetector",
        "securityhub:DisableSecurityHub"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

B) 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "NotAction": [
        "guardduty:DeleteDetector",
        "guardduty:UpdateDetector",
        "securityhub:DisableSecurityHub"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

C) 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "NotAction": [
        "guardduty:DeleteDetector",
        "guardduty:UpdateDetector",
        "securityhub:DisableSecurityHub"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

D) 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": [
        "guardduty:DeleteDetector",
        "guardduty:UpdateDetector",
        "securityhub:DisableSecurityHub"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

A. Option A 
B. Option B 
C. Option C 
D. Option D 
Answer: A 
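Added example (not part of the exam material): a small Python model of the SCP evaluation logic behind question 7, with the four candidate policies reduced to their statements. It assumes, as the question states, that only the default FullAWSAccess SCP is otherwise attached at the root, and it uses s3:GetObject as a stand-in for "any unrelated action" that IAM policies in the accounts must still be able to grant.

```python
from fnmatch import fnmatch

# FullAWSAccess is attached to the root by default, as the question states.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
PROTECTED = ["guardduty:DeleteDetector", "guardduty:UpdateDetector",
             "securityhub:DisableSecurityHub"]

# The four candidate SCPs from the question, reduced to their statements.
OPTIONS = {
    "A": {"Statement": [{"Effect": "Deny", "Action": PROTECTED, "Resource": "*"}]},
    "B": {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"},
                        {"Effect": "Allow", "NotAction": PROTECTED, "Resource": "*"}]},
    "C": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                        {"Effect": "Deny", "NotAction": PROTECTED, "Resource": "*"}]},
    "D": {"Statement": [{"Effect": "Allow", "NotAction": PROTECTED, "Resource": "*"}]},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _applies(stmt, action):
    """Does the statement cover `action`? Action patterns are case-insensitive
    globs; NotAction covers everything except the listed patterns."""
    if "Action" in stmt:
        patterns = _as_list(stmt["Action"])
        return any(fnmatch(action.lower(), p.lower()) for p in patterns)
    patterns = _as_list(stmt["NotAction"])
    return not any(fnmatch(action.lower(), p.lower()) for p in patterns)


def scp_permits(action, *scps):
    """SCP semantics for policies attached at one level (here, the root):
    an explicit Deny in any SCP wins; otherwise some SCP must Allow the
    action; otherwise it is implicitly denied. SCPs never grant access,
    so the account's IAM policies still make the final decision."""
    stmts = [s for scp in scps for s in scp["Statement"]]
    if any(s["Effect"] == "Deny" and _applies(s, action) for s in stmts):
        return False
    return any(s["Effect"] == "Allow" and _applies(s, action) for s in stmts)


def meets_requirements(option):
    """The requirement: the three protected actions are blocked, while an
    unrelated action (s3:GetObject stands in for everything else) is left
    for the accounts' own IAM policies to grant."""
    scp = OPTIONS[option]
    blocked = all(not scp_permits(a, FULL_AWS_ACCESS, scp) for a in PROTECTED)
    others_intact = scp_permits("s3:GetObject", FULL_AWS_ACCESS, scp)
    return blocked and others_intact
```

Only option A blocks the three actions without also cutting off everything else: B denies every action, C denies everything except the three it should block, and D adds no Deny at all, so FullAWSAccess still permits them.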


8.A company is building a data processing application that uses AWS Lambda functions. The application's 
Lambda functions need to communicate with an Amazon RDS DB instance that is deployed within a VPC 
in the same AWS account. 

Which solution meets these requirements in the MOST secure way? 
A. Configure the DB instance to allow public access. Update the DB instance security group to allow 
access from the Lambda public address space for the AWS Region. 

B. Deploy the Lambda functions inside the VPC. Attach a network ACL to the Lambda subnet. Provide 
outbound rule access to the VPC CIDR range only. Update the DB instance security group to allow traffic 
from 0.0.0.0/0. 

C. Deploy the Lambda functions inside the VPC. Attach a security group to the Lambda functions. Provide 
outbound rule access to the VPC CIDR range only. Update the DB instance security group to allow traffic 
from the Lambda security group. 

D. Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access 
without the need for security groups. 

Answer: C 

Explanation: 

This solution ensures that the Lambda functions are deployed inside the VPC and can communicate with 
the Amazon RDS DB instance securely. The security group attached to the Lambda functions only allows 
outbound traffic to the VPC CIDR range, and the DB instance security group only allows traffic from the 
Lambda security group. This solution ensures that the Lambda functions can communicate with the DB 
instance securely and that the DB instance is not exposed to the public internet. 


9.A company has an application that uses an Amazon RDS PostgreSQL database. The company is 
developing an application feature that will store sensitive information for an individual in the database. 
During a security review of the environment, the company discovers that the RDS DB instance is not 
encrypting data at rest. The company needs a solution that will provide encryption at rest for all the 
existing data and for any new data that is entered for an individual. 

Which combination of options can the company use to meet these requirements? (Select TWO.) 

A. Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, and enable encryption 
for the copy process. Use the new snapshot to restore the DB instance. 

B. Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB 
instance. Use the snapshot to restore the DB instance. 

C. Use AWS Key Management Service (AWS KMS) to create a new default AWS managed aws/rds key. 
Select this key as the encryption key for operations with Amazon RDS. 

D. Use AWS Key Management Service (AWS KMS) to create a new CMK. Select this key as the encryption 
key for operations with Amazon RDS. 

E. Create a snapshot of the DB instance. Enable encryption on the snapshot. Use the snapshot to restore 
the DB instance. 

Answer: C E 


10.Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' 
are encrypted? 

A) 
{
  "Version": "2012-10-17",
  "Id": "PutObj",
  "Statement": [{
    "Sid": "DenyUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::demo/*",
    "Condition": {
      "StringNotEquals": {
        "s3:x-amz-server-side-encryption": "aws:kms"
      }
    }
  }]
}

B) 
{
  "Version": "2012-10-17",
  "Id": "PutObj",
  "Statement": [{
    "Sid": "DenyUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::demo/*",
    "Condition": {
      "StringEquals": {
        "s3:x-amz-server-side-encryption": "aws:kms"
      }
    }
  }]
}

C) 
{
  "Version": "2012-10-17",
  "Id": "PutObj",
  "Statement": [{
    "Sid": "DenyUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::demo/*"
  }]
}

D) 
{
  "Version": "2012-10-17",
  "Id": "PutObj",
  "Statement": [{
    "Sid": "DenyUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObjectEncrypted",
    "Resource": "arn:aws:s3:::demo/*"
  }]
}

A. Option A 

B. Option B 

C. Option C 

D. Option D 

Answer: A 

Explanation: 

The condition "s3:x-amz-server-side-encryption":"aws:kms" ensures that uploaded objects must be 
encrypted. 

Options B, C and D are invalid because the StringNotEquals deny condition on 
"s3:x-amz-server-side-encryption":"aws:kms" must be present. 

For more information on AWS KMS best practices, browse to the URL below: 
https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf 



Download the latest SCS-C02 exam dumps for best preparation 




11.A company uses AWS Organizations to manage a multi-account AWS environment in a single AWS 
Region. The organization's management account is named management-01. The company has turned on 
AWS Config in all accounts in the organization. The company has designated an account named 
security-01 as the delegated administrator for AWS Config. 

All accounts report the compliance status of each account's rules to the AWS Config delegated 
administrator account by using an AWS Config aggregator. Each account administrator can configure and 
manage the account's own AWS Config rules to handle each account's unique compliance requirements. 
A security engineer needs to implement a solution to automatically deploy a set of 10 AWS Config rules to 
all existing and future AWS accounts in the organization. The solution must turn on AWS Config 
automatically during account creation. 

Which combination of steps will meet these requirements? (Select TWO.) 

A. Create an AWS CloudFormation template that contains the 10 required AWS Config rules. Deploy the 
template by using CloudFormation StackSets in the security-01 account. 

B. Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance 
pack from the security-01 account. 

C. Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance 
pack from the management-01 account. 

D. Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using 
CloudFormation StackSets in the security-01 account. 

E. Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using 
CloudFormation StackSets in the management-01 account. 

Answer: B E 




